implement support for integration testing with quickstart

Author: ekoby

gradle/libs.versions.toml

@@ -10,6 +10,7 @@ shadow-jar = "8.3.5"
 
 # OpenZiti Edge API
 ziti-api = "0.26.39"
+ziti-cli = "1.3.3"
 
 # third party
 lazysodium-java = "5.1.4"

ziti/build.gradle.kts

@@ -1,4 +1,6 @@
 import com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar
+import kotlinx.coroutines.delay
+import kotlinx.coroutines.runBlocking
 
 /*
  * Copyright (c) 2018-2021 NetFoundry Inc.
@@ -94,6 +96,92 @@ tasks.register<Jar>("dokkaJar") {
     from(tasks.dokkaJavadoc.flatMap { it.outputDirectory })
 }
 
+@Suppress("UnstableApiUsage")
+testing {
+    suites {
+        val integrationTest by registering(JvmTestSuite::class) {
+            dependencies {
+                implementation(libs.kotlin.coroutines.test)
+                implementation(libs.slf4j.simple)
+                implementation(project(":management-api"))
+            }
+        }
+    }
+}
+
+kotlin {
+    target {
+        // make sure we can test internal components
+        compilations.getByName("integrationTest").associateWith(compilations.getByName("main"))
+    }
+}
+
+val zitiVersion = libs.versions.ziti.cli.get()
+val binDir = layout.buildDirectory.dir("bin").get()
+val zitiCLI = binDir.file("ziti")
+val quickstartHome = layout.buildDirectory.dir("quickstart").get()
+
+tasks.register<Exec>("buildZiti") {
+    group = LifecycleBasePlugin.BUILD_GROUP
+    description = "Builds the Ziti CLI"
+    environment("GOBIN", binDir.asFile.absolutePath)
+    commandLine("go", "install", "github.com/openziti/ziti/ziti@v${zitiVersion}")
+    outputs.file(zitiCLI)
+}
+
+tasks.register("start-quickstart") {
+    description = "Starts Ziti quickstart"
+    val qsLog = layout.buildDirectory.file("quickstart.log").get().asFile
+    val errLog = layout.buildDirectory.file("error.log").get().asFile
+
+    doLast {
+        val pb = ProcessBuilder().apply {
+            command(
+                zitiCLI.toString(),
+                "edge", "quickstart", "--home", quickstartHome.asFile.absolutePath)
+            redirectOutput(qsLog)
+            redirectError(errLog)
+        }
+        val qsProc = pb.start()
+        ext["quickstart"] = qsProc
+        runBlocking {
+
+            while(true) {
+                delay(1000)
+                if (!qsProc.isAlive) {
+                    throw GradleException("quickstart failed: check ${errLog.absolutePath}")
+                }
+
+                val started = kotlin.runCatching {
+                    qsLog.readLines().find { it.contains("controller and router started") }
+                }
+                if (started.getOrNull() != null) {
+                    logger.lifecycle("quickstart is ready")
+                    break
+                }
+
+                logger.lifecycle("waiting for qs router...")
+            }
+        }
+    }
+    dependsOn("buildZiti")
+}
+
+tasks.register("stop-quickstart") {
+    doLast {
+        val proc = ext["quickstart"] as Process?
+        proc?.let {
+            logger.lifecycle("stopping quickstart...")
+            it.destroy()
+        }
+    }
+}
+
+tasks.named("integrationTest") {
+    dependsOn("start-quickstart")
+    finalizedBy("stop-quickstart")
+}
+
 publishing {
     publications {
         create<MavenPublication>(project.name) {

ziti/src/integrationTest/kotlin/org/openziti/api/ControllerTests.kt

@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2018-2025 NetFoundry Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.openziti.api
+
+import kotlinx.coroutines.test.runTest
+import org.junit.jupiter.api.BeforeAll
+import org.junit.jupiter.api.Test
+import org.openziti.integ.ManagementHelper
+import org.openziti.integ.ManagementHelper.enrollmentApi
+import org.openziti.integ.ManagementHelper.identityApi
+import org.openziti.integ.ManagementHelper.sslContext
+import org.openziti.management.model.EnrollmentCreate
+import org.openziti.management.model.IdentityCreate
+import org.openziti.management.model.IdentityType
+import java.net.URL
+import java.time.OffsetDateTime
+
+
+class ControllerTests {
+
+    companion object {
+        @JvmStatic
+        @BeforeAll
+        fun init() {
+            val identity = identityApi.createIdentity(
+                IdentityCreate().name("test-${System.nanoTime()}").isAdmin(false).type(IdentityType.DEVICE)
+            ).get().data!!
+
+            val exp = OffsetDateTime.now().plusDays(1)
+            val enrollReq = EnrollmentCreate()
+                .identityId(identity.id!!)
+                .method(EnrollmentCreate.MethodEnum.OTT)
+                .expiresAt(exp)
+            val enrollment = enrollmentApi.createEnrollment(enrollReq).get().data
+            val token = identityApi.getIdentityEnrollments(identity.id).get().data.first().jwt
+            println(token)
+        }
+
+    }
+
+    @Test
+    fun testCreateController() = runTest {
+
+//        assertThrows<Controller.NotAvailableException> {
+//            Controller.getActiveController(listOf(), sslContext)
+//        }
+//
+//        assertThrows<Controller.NotAvailableException> {
+//            Controller.getActiveController(listOf(URL("https://google.com")), sslContext)
+//        }
+//
+//        val ctrl = assertDoesNotThrow {
+//            Controller.getActiveController(listOf(
+//                URL("https://google.com"),
+//                URL("https://localhost:1280")
+//            ), sslContext)
+//        }
+//
+//        Assertions.assertEquals("/edge/client/v1", ctrl.endpoint.path)
+
+        val ctrl = Controller(URL(ManagementHelper.api.baseUri), sslContext)
+        ctrl.version()
+    }
+}

ziti/src/integrationTest/kotlin/org/openziti/integ/ManagementHelper.kt

@@ -0,0 +1,110 @@
+/*
+ * Copyright (c) 2018-2025 NetFoundry Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.openziti.integ
+
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.asExecutor
+import org.openziti.management.ApiClient
+import org.openziti.management.api.AuthenticationApi
+import org.openziti.management.api.EnrollmentApi
+import org.openziti.management.api.IdentityApi
+import org.openziti.management.api.InformationalApi
+import org.openziti.management.model.Authenticate
+import org.openziti.util.parsePKCS7
+import java.net.InetAddress
+import java.net.URI
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.net.http.HttpResponse
+import java.security.KeyStore
+import java.security.SecureRandom
+import java.security.cert.X509Certificate
+import javax.net.ssl.SSLContext
+import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509TrustManager
+
+internal object ManagementHelper {
+
+    private val defaultURL = "https://${InetAddress.getLocalHost().hostName}:1280"
+
+    private object DefaultCredentials: Authenticate() {
+        init {
+            username = "admin"
+            password = "admin"
+        }
+    }
+
+    private val trustAllssl: SSLContext = SSLContext.getInstance("TLS").apply {
+        init(null, arrayOf(TrustAll), SecureRandom())
+    }
+
+
+    internal val sslContext: SSLContext by lazy {
+        val clt = HttpClient.newBuilder().sslContext(trustAllssl).build()
+        val req = HttpRequest.newBuilder(URI.create("$defaultURL/.well-known/est/cacerts")).build()
+        val pkcs7 = clt.send(req, HttpResponse.BodyHandlers.ofByteArray()).body()
+        parsePKCS7(pkcs7).makeSSL()
+    }
+
+    internal val identityApi by lazy { IdentityApi(api) }
+    internal val enrollmentApi by lazy { EnrollmentApi(api) }
+
+    private object TrustAll : X509TrustManager {
+        override fun checkClientTrusted(p0: Array<out X509Certificate>?, p1: String?) {}
+        override fun checkServerTrusted(p0: Array<out X509Certificate>?, p1: String?) {}
+        override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
+    }
+
+    private fun List<X509Certificate>.makeSSL(): SSLContext {
+        val ks = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
+            load(null, null)
+            this@makeSSL.forEach {
+                setCertificateEntry(it.subjectX500Principal.name, it)
+            }
+        }
+
+        val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).apply {
+            init(ks)
+        }
+
+        return SSLContext.getInstance("TLS").apply {
+            init(null, tmf.trustManagers, SecureRandom())
+        }
+    }
+
+
+    internal val api: ApiClient by lazy {
+        ApiClient().apply {
+            updateBaseUri(defaultURL)
+            setHttpClientBuilder(
+                HttpClient.newBuilder()
+                    .sslContext(sslContext)
+                    .executor(Dispatchers.IO.asExecutor())
+            )
+
+            val mgmtUrl = InformationalApi(this@apply)
+                .listVersion().get()
+                .data.apiVersions?.get("edge-management")?.get("v1")?.path!!
+            setBasePath(mgmtUrl)
+
+            val token = AuthenticationApi(this@apply)
+                .authenticate("password", DefaultCredentials)
+                .get().data.token
+            setRequestInterceptor { it.header("zt-session", token) }
+        }
+    }
+}

ziti/src/integrationTest/resources/simplelogger.properties

@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2018-2022 NetFoundry Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+org.slf4j.simpleLogger.defaultLogLevel=trace
+org.slf4j.simpleLogger.log.tlschannel=warn
+org.slf4j.simpleLogger.showDateTime=true
+#org.slf4j.simpleLogger.dateTimeFormat=yyyy-MM-dd HH:mm:ss:SSS Z
+

ziti/src/main/kotlin/org/openziti/util/Certs.kt

@@ -117,6 +117,13 @@ internal class PrivateKeySigner(val key: PrivateKey, val sigAlg: String) : Conte
     override fun getSignature(): ByteArray = sig.sign()
 }
 
+internal fun parsePKCS7(bundle: ByteArray) =
+    Base64.getMimeDecoder().decode(bundle).run {
+        CertificateFactory.getInstance("X.509")
+            .generateCertificates(inputStream())
+            .filterIsInstance<X509Certificate>()
+    }
+
 internal fun getCACerts(api: URI, serverKey: Key): Collection<X509Certificate> {
     val con = api.resolve("/.well-known/est/cacerts").toURL().openConnection() as HttpsURLConnection
     con.setRequestProperty("Accept", "application/pkcs7-mime")
@@ -133,7 +140,7 @@ internal fun getCACerts(api: URI, serverKey: Key): Collection<X509Certificate> {
             val bytes = Base64.getMimeDecoder().decode(b)
             val cf = CertificateFactory.getInstance("X.509")
 
-            return cf.generateCertificates(bytes.inputStream()) as Collection<X509Certificate>
+            return cf.generateCertificates(bytes.inputStream()).filterIsInstance<X509Certificate>()
         }
     }